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Abstract — Smart meters are key elements for the operation 
of smart grids. By providing near realtime information on the 
energy consumption of individual users, smart meters increase 
the efficiency in generation, distribution and storage of energy 
in a smart grid. The ability of the utility provider to track 
users' energy consumption inevitably leads to important threats 
to privacy. In this paper, privacy in a smart metering system is 
studied from an information theoretic perspective in the presence 
of energy harvesting and storage units. It is shown that energy 
harvesting provides increased privacy by diversifying the energy 
source, while a storage device can be used to increase both the 
energy efficiency and the privacy of the user. For given input 
load and energy harvesting rates, it is shown that there exists 
a trade-off between the information leakage rate, which is used 
to measure the privacy of the user, and the wasted energy rate, 
which is a measure of the energy-efficiency. The impact of the 
energy harvesting rate and the size of the storage device on this 
trade-off is also studied. 

Index Terms — Data privacy, energy-efficiency, energy harvest- 
ing, information theoretic security, rechargeable batteries, smart 
meters, smart grids. 



I. Introduction 

A smart grid (SG) is an energy network that manages and 
controls energy generation and distribution more efficiently 
and intelligently by following the users' energy demands in 
real-time through computer and communication technologies. 
Transition from traditional power grids to SGs are expected to 
have a revolutionary effect on future energy networks fll], [f2). 
SGs can yield energy efficiency through savings in generation 
and transmission of energy, reduce costs on both the user and 
the utility provider (UP) sides, and increase reliability and 
robustness. They also provide important environmental bene- 
fits by reducing the carbon footprint and integrating renewable 
energy sources into the energy network. Introducing alternative 
energy sources and energy storage devices into the network 
will significantly reduce the load on the energy network and 
improve its efficiency. For instance, plug-in electric vehicles on 
the distribution grid can be used for distributed energy storage 
by means of their rechargeable batteries (RBs) JTJ. Similarly, 
renewable energy sources can be integrated into the energy 
network through energy harvesting (EH) devices, which can 
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Fig. 1. A smart-meter (SM) system diagram with energy and information 
flows. The user, in addition to its connection to the energy grid, also has an 
EH device and an RB at its use. The energy flow in the system is managed 
by the energy management unit (EMU). The SM reads only the energy that 
is supplied by the UP at each interval. The readings are reported to the UP 
correctly without any tempering, but potentially in an encrypted manner. 



generate energy from ambient sources such as solar, thermal 
or wind, and reduce the users' dependence on the grid 10]. 

To exploit these potential benefits, the components of an 
SG are connected through a two-way communication network 
that allows the exchange of information in real time among 
the users and the UP. This enables real-time optimization of 
load management in SGs 0. An important component of 
this critical data network for SGs is the advanced metering 
system. Smart meters (SMs) are communication devices that 
measure the energy consumption of the users and transmit 
their readings to the UP in real time. Currently, a typical 
smart-meter reports the energy consumption readings to the 
UP every 15 minutes; however, the measuring frequency is 
expected to increase in the near future to provide near real- 
time energy consumption data to the UP. Significant energy 
savings have been reported even solely based on the user's in- 
creased awareness of his/her real-time energy consumption 0. 
However, despite their potential for increasing the efficiency 
of energy distribution networks, SG technologies, in particular 
smart metering systems, raise important privacy and security 
concerns for the users 0, 0, Q. 

SM data can be easily analyzed for surveillance pur- 



poses by tracking appliance usage patterns, employing non- 
intrusive appliance load monitors and data mining algo- 
rithms JH, ill, [TO). At the very least, through SM readings 
it is possible to infer whether a user is at home or not. 
But, through more advanced pattern recognition techniques, 
energy consumption patterns of individual appliances can be 
identified with high accuracy even when the SM can read 
only the aggregated household energy consumption ifTTl . As 
a striking example, [12| illustrates the possibility of detecting 
the channel displayed on a television, and even identifying the 
content, just by analyzing the power profile of the household. 
Even assuming that the SM readings are transmitted to the 
UP in an encrypted manner, preventing third parties from 
accessing the user's private energy consumption data, the 
UP will receive significant personal information about the 
user. Thus, even if only partially, assuring the privacy of the 
household's electrical load profile is essential for users. 

In this work, we study SM privacy from the fundamental 
information theoretic perspective. We measure the privacy of 
the user's energy profile with respect to the UP in terms 
of the information leakage rate, which denotes the mutual 
information rate between the real energy consumption of 
the appliances and the SM readings. Using Shannon entropy 
to measure privacy is not new. Minimizing the information 
leakage rate is equivalent to maximizing the equivocation, 
which was introduced by Shannon in lfl3l in the context of se- 
cure communications. Mutual information has previously been 
proposed as a measure of privacy in SMs in lfl4l . lfT31 . lTT6l 
and [17]. Modeling the input load as a discrete time random 
process, information leakage rate measures the amount of 
information the UP learns about the input load after observing 
the output load, i.e., the energy requested by the user. We 
assume that the UP may know the statistics of the input load 
as well as the stochastic behavior of the energy management 
policy; however, it cannot observe the input load or harvested 
energy directly. The UP has to estimate the realization of 
the input load based on its statistical knowledge and its 
observation of the output load. The user wants to minimize 
the information leakage rate to achieve the highest level of 
privacy. While cryptographic algorithms rely on mathematical 
operations and the complexity of their computation by using 
encryption keys, information theoretic security does not de- 
pend on encryption keys and assures reliable privacy regardless 
of the computational power of an intruder, the UP in our 
case Ifl8l . 

Building on our previous work lfl9l . we study the privacy 
of an SM system from the perspective of a single user. In our 
system model, depicted in Fig. Q] we integrate an EH device 
as an alternative energy source and an RB as an energy storage 
unit. The energy flow is managed by the energy management 
unit (EMU). We consider a discrete time system. At each time 
instant i, the appliances request a certain amount of energy, 
denoted by Xi. This amount is reported to the EMU which is 
responsible for providing this exact amount to the appliances; 
that is, we do not allow energy outages or rescheduling of 
appliance operations in this work. We also consider only 
the real power consumption of the devices and assume that 
the SM only reads and reports this quantity. Moreover, we 



also ignore inefficiencies and mismatches in providing the 
energy requirement of the appliances from different energy 
sources, and consider only the energy that is consumed by 
the appliances. The EMU has access to three different energy 
sources : the energy grid, the EH device and the energy storage 
unit. At any time instant it can provide the energy requested 
by the appliances from one or more of these sources. The goal 
of the EMU is to increase both the energy efficiency of the 
system and the privacy of the user. 

We employ stochastic battery policies based on the har- 
vested energy, energy demand of the appliances and the state 
of the storage unit. We model the energy generation profile of 
an EH device as a stochastic process whose behavior depends 
on the characteristics of the underlying energy source and the 
device itself. Therefore, it is likely that the harvested energy 
sometimes does not match the energy required by the system 
and the extra energy would be wasted if not stored. Introducing 
an RB for energy storage into the system is essential for 
better utilization of the harvested energy. On the other hand, 
considering the increasing use of alternative energy sources 
(such as solar panels) by households, and the availability 
of rechargeable storage units (such as electric vehicles) with 
significantly large storage capacities, it is meaningful to exploit 
these devices not only to decrease the dependency on the 
SG and to increase the energy efficiency, but also to provide 
additional privacy for the users. The equivocation of the UP 
about the real energy consumption can be manipulated by 
charging and discharging the RB and by using the harvested 
energy. Hence, the benefits of the RB are twofold: i) it can 
increase the energy efficiency of the system by storing extra 
harvested energy; and ii) it can increase the privacy of the 
user by hiding the energy consumption profile from the UP. 
We show in this paper that there exists a trade-off between 
energy efficiency and privacy for the optimal EMU operation, 
and the operating point on this trade-off can be chosen based 
on the privacy sensitivity of the underlying input load and the 
cost of energy. 

The main contributions of this work can be summarized as 
follows : 

1) We introduce an energy efficiency -privacy trade-off in 
a smart meter system considering the availability of an 
EH device and an RB. To the best of our knowledge, 
this is the first work that provides an analytical study on 
the effect of an alternative energy source on SM privacy. 

2) Focusing on a discrete-time system model we study the 
effect of energy harvesting rate on the energy efficiency- 
privacy trade-off. 

3) We illustrate numerically that the increased battery ca- 
pacity significantly reduces the information leakage rate. 

4) While no grid energy is allowed to be wasted in the 
above analysis, we also study the increased privacy that 
can be achieved by wasting the grid energy for very 
sensitive applications. 

We use the following notation in the rest of the paper. 
Random variables are denoted with uppercase letters, e.g., 
X, and their realizations are denoted with lowercase letters, 
e.g., x. A random variable takes values from a finite set X 



following a probability mass function px(x). The subscript 
X will be omitted when it is obvious from the context. An 
n-length random sequence is denoted by X n = X\, . . . , X n . 
E[X] denotes the expectation of the random variable X. The 
entropy of a random variable X is defined by 

H(X)±-J2p(x)tegp(x). (1) 

H(-\-) and H(-, •) denote conditional entropy and joint en- 
tropy, respectively, which are defined similarly. The mutual 
information between random variables X and Y is defined as 

I(X;Y) = H(X)-H(X\Y). (2) 

The rest of the paper is organized as follows. In Section HI] 
we summarize some of the related work on privacy issues in 
SM systems. In Section [Till we introduce the system model. 
Section llVl describes the technique to compute the information 
leakage rate. In Section|V] we present our results and compare 
them with the existing results in the literature. Finally, we 
conclude our work in Section [VI] 

II. Related Work 

In recent years SMs have gained increasing popularity with 
growing support from the UPs and governments with the 
promise of increased energy efficiency. This also has raised 
privacy issues, and the literature in this field is growing rapidly. 
Various techniques have recently been proposed to provide a 
certain level of privacy for SM users. Anonymization [20], ag- 
gregation [21 1, homomorphism 11221 and obfuscation 11231 are 
some of the techniques that have been studied in the literature. 
In ||24| . the authors present a method for establishing privacy 
assurances in terms of differential privacy, i.e., RB is used 
to modify the energy consumption by adding or subtracting 
noise and thereby, the energy consumption of the individual 
appliances can be hidden. Moreover, they also consider various 
constraints on the RB such as capacity and throughput. In [25 1 
a method to provide privacy against potential non-intrusive 
load monitoring techniques is proposed. A non-intrusive load- 
leveling algorithm is used to flatten the consumption of the 
user by means of an RB. Similarly, 1171 proposes three 
techniques, i.e., fuzzing, targeted entropy maximization and 
targeted fuzzing. The authors intend to obfuscate the load by 
masking the individual loads with the use of an RB. Basically, 
fuzzing changes the load randomly over an interval, the 
targeted entropy maximization technique chooses the desired 
load level that maximizes the entropy of possible individual 
events, and targeted fuzzing builds a probability distribution 
to do so. 

Most of the earlier work on SM privacy assumes that 
the user has control over the smart-meter readings and can 
manipulate these readings before sending the data to the UR 
For example, Bohli et al. (21 1 propose sending the aggregated 
energy consumption of a group of users to the UR Li et 
al. 11261 consider using compressed sensing techniques for 
the transmission of the SM reading of active users based on 
the assumption that SM data transmission is bursty. Bartoli 
et al. [27 1 propose data aggregation together with encryption 



to forward smart meter readings. Marmol et al. [28 1 propose 
using "additively homomorphic encryption", which allows 
the UP to decode only the total energy consumption of a 
group of users while keeping the individual readings secure. 
Rajagopalan et al. [29 1 propose compression of the smart- 
meter data before being transmitted to the UP. Unlike this line 
of research, we assume that the SM reads the amount of energy 
that the user gets from the grid at each time interval and the 
meter readings are reported to the UP without being tempered 
by the user. Hence, privacy in our model is achieved by 
differentiating the output load, i.e., the energy received from 
the UP, from the input load, i.e., the real energy consumption 
of the user, as much as possible. 

A similar approach has been taken in some other previous 
work as well. RBs have been proposed to partially obscure 
the energy consumption of the user in lfl4l . Ifl6l . [24], [25| 
and (30l . The main goal of the proposed energy management 
algorithms in these papers is to protect the privacy of the user. 
References [14| and ll30l study variational distance, cluster 
similarity and regression analysis to measure privacy and 
propose various heuristic techniques, such as the best-effort 
and power mixing algorithms. A discrete-time system model 
is considered in [ 16 1 and stochastic battery policies are studied 
with mutual information between the input and output loads as 
the measure of privacy. In ll3TI a similar information theoretic 
privacy analysis is carried out in the presence of an EH device 
that can provide energy limited by peak and average power 
constraints. 

III. System Model 

We study the energy input/output system illustrated in 
Fig. Q] under a discrete-time system model. The input load 
Xi represents the total energy demand of the appliances at 
time instant i. The output load Y$ denotes the amount of 
energy that the system requests from the UP, while Zi denotes 
the amount of harvested energy at time instant i. We assume 
that there is a minimum unit of energy; and hence, at each 
time instant i, the input load, harvested energy and output 
load are all integer multiples of this energy unit. Over time, 
we assume that the input load X n — X±,X2,...,X n is 
an independent and identically distributed (i.i.d.) sequence 
with marginal distribution px over X = {0, 1, ... , N}. The 
harvested energy is also modelled as a discrete time stochastic 
process, where Z n = Z\, . . . , Z n is an i.i.d. sequence 
with marginal distribution pz over Z = {0, 1, . . . , M}. The 
characteristics of the EH distribution, pz, depend on the design 
of the energy harvester. For example, for a solar energy 
harvester the average harvested energy can be increased by 
scaling the size and the efficiency of the solar panel. Note 
that the energy consumed by the appliances and the harvested 
energy are independent of each other. 

The output load is the amount of energy that is demanded 
from the UP, and is denoted by Y n = Y\, Y 2 , . . . ,Y„ with Fj 
taking values in y = {0, 1, . . . , L}. We denote the energy in 
the battery at time instant i by Bi. We assume that the RB 
has a maximum capacity of K energy units, i.e., Bi < K, V«, 
while the system is not bounded by the maximum amount of 



energy that can be provided by the UP, i.e., L > (N + K % 
We consider stochastic energy management policies at the 
EMU that depend on the instantaneous input load, harvested 
energy and the battery state. An energy management policy 
maps the energy requested by the appliances, Xi, the harvested 
energy, Zi, and the battery state, .Bj_i, to the output load, 
Yi, and the next battery state, Bi. Note that in general a 
larger set of energy management policies is possible. The 
EMU can decide its actions based on all the past input/output 
loads, harvested energy amounts and the battery states. For 
example [16| considers policies that take into account the 
previous output load, Yi—\. Similarly, the best effort policy 
proposed in 11301 . in which the EMU aims to keep the output 
load value as stable as possible, is simply a special case of the 
battery /output load conditioned policies in JT6). To keep the 
complexity of possible energy management policies simple, 
we restrict our attention to energy management policies that 
depend only on (Xi, Zi,Bi_\), and satisfy 



by an energy management policy, we define the wasted energy 
rate as follows: 



[Bi-B^ + YitXi 



(3) 



which guarantees that the energy demand of the appliances is 
always satisfied. 

We assume that the SM provides the output load Yi at each 
time instant to the UP perfectly. That is, we do not allow the 
user to manipulate the SM reading. Moreover, we also assume 
that px and pz are known by the UP, whereas no information 
about the realizations of either the input process x n , or the 
EH process z n , is available at the UP, which observes only 
the output load, y n . The equivocation, H(X n \Y n ), measures 
the uncertainty of the UP about the real energy consumption 
after observing the output load. We have, 



H(X n \Y n ) = H(X n ) - I(X n ; Y r ' 



(4) 



Since H(X n ) is a characteristic of the appliances and is as- 
sumed to be known, the EMU tries to minimize I(X n ; Y n ) in 
order to maximize the equivocation. Accordingly, the privacy 
achieved by an energy management policy is measured by the 
information leakage rate, defined as 



J p 4 lim il(X n ;Y n ), 

n— >oo n 



(5) 



where X n = (X 1 ,X 2 ,..., X n ), Y n = (Y 1 ,Y 2 ,..., Y n ), and 
I(X n ; Y n ) is the mutual information between vectors X n and 

Due to the finite capacity of the RB and the stochastic nature 
of the input and EH processes, some of the harvested energy 
will be wasted. To measure the proportion of the energy wasted 

'The energy we consider in this model is the real energy measured by the 
smart meter and we ignore the reactive power or the power factor which can 
also be used to make deductions about the input load. Moreover, we also 
assume that the energy demand of the appliances is satisfied by transferring 
an equivalent amount of energy from the RB, EH unit or UP; that is, we do 
not consider the effect of the supply voltage, frequency or the characteristics 
of the appliances on the amount of energy that needs to be requested from 
the corresponding energy source. Such quantities could also be incorporated 
into our model by considering vector-valued measurements, but this added 
complexity is not necessary for studying the fundamental trade-offs considered 
here. 
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— lim - V {Zi + Y-X t 



(6) 



We say that an information leakage-wasted energy rate pair 
(I p ,E w ) is achievable if there exists an energy management 
policy satisfying (0 and ||6}. The closure of the set of all 
achievable rate pairs is called the rate region T. In general 
the energy management policy that minimizes the information 
leakage rate does not necessarily minimize the wasted energy 
rate. From the classical time-sharing arguments ll32l we can 
readily see that the rate region T is convex. Since the region 
is also closed by definition, it is sufficient to identify the 
boundary of region T, which characterizes the optimal trade- 
off between privacy and energy efficiency. 

To illustrate the privacy benefits of having an EH device, we 
first consider a system without an RB. In this case, the EMU 
uses as much as possible from the harvested energy, and asks 
for energy from the UP only when the harvested energy is 
not sufficient. Therefore, we can define Yi as a deterministic 
function of Xi and Zi as follows: 

v _ i v 7 s+A J Xi- Z h if Xi — Zi > 0, 

y, - (Xi -z^ -< ^ . f x _ _ Zi < Q (?) 



In general, it is possible to ask for energy from the UP even 
when Xi = 0. This will increase the privacy by confusing 
the UP, but waste energy. We do not allow wasting energy 
from the UP unless otherwise stated, as this would be costly 
in practical systems. Obviously, when there is no harvested 
energy, i.e., Pr{Z = 0} = 1, then we have Yi — Xi for 
Vi, and I p = ~H(X n ) = H(X), i.e., the UP knows the 
input load perfectly. On the other hand, if there is always 
harvested energy sufficient to supply the appliances, i.e., M = 
N and Pr{Z = N} = 1, then Yi = for Vi, and we have 
I p = 0. When I p — we say that perfect privacy is achieved. 
Basically, as we harvest more and more energy, we reduce our 
dependence on the grid energy, and decrease the information 
leaked to the UP about our real energy consumption. However, 
note that, at each time instant harvested energy that is not used 
by the consumer is wasted. For example, when Pr{Z = N} = 
1, we have E w = N - E[X) while E w = when Vi{Z = 
0} = 1. In other words, there is a trade-off between privacy 
and energy efficiency provided by the EH unit. Introducing 
an RB into this system will have a dual use and improve this 
trade-off. RBs can act as a filter for the energy usage profile 
and decrease I p further while reducing the wasted energy at 
the same time. 

Due to the discrete time nature of the system, it can be 
represented by a finite state model (FSM) lTT6l . The FSM 
representation of the system with all the transitions and states 
evolving as a Markov chain depends on the input load level N, 
the output load level L, the harvested energy level M and the 
RB capacity K. As we have mentioned earlier, we consider 
energy management policies that depend only on the current 



input load Xi, harvested energy Zi, and the previous battery 
state i?i_Jl. We have s = (K + 1) states in our FSM, where 
state bi denotes the state of the RB, i.e., the amount of energy 
stored in the RB at time i. We assume 60 = 0. The battery 
conditioned transitions occur from state bi to frj+i depending 
on the battery state bi, the input load Xi+i and the harvested 
energy 2^+1 . The FSM is simply a Markov chain, and the 
transitions specify the map to proceed in the chain. Possible 
transitions are depicted in Fig. |2]for different (x, z, y) triplets 
and transition probabilities. 

A. A Simplified Binary Model 

Similarly to lfl6l to keep the presentation and the numerical 
analysis simple, we initially consider a binary model; that is, 
we assume N = L = M = K = 1. However, we note here 
that the following arguments and evaluation techniques extend 
to non-binary models directly. From a practical perspective, 
this binary model corresponds to a system with a single 
appliance that can be ON or OFF at various time instants with 
a certain probability, and both the capacity of the RB and the 
energy generated by the EH are equivalent to the energy used 
by this device when it is ON. In Sections IV-CI and IV-DI we 
will consider non-binary battery capacity cases as well. 

While the energy management policies can be time-varying 
in general, we consider time-invariant fixed policies in which 
the transition probabilities and parameters of the policy are 
fixed throughout the operation. The probability distributions of 
the input load and the harvested energy are chosen as Bernoulli 
distributions, i.e., Pr{JT = 1} = p x and Pi{Z = 1} = p z , 
respectively. The output load Y n is also a binary sequence 
which can provide or 1 units of energy to the input load at 
any time instant i. Battery state bi = denotes that the RB 
is empty while 6, = 1 denotes that the RB is fully charged 
at time instant i. We assume that within each time duration, 
i to i + 1, the RB can be charged to battery state, bi = 1, 
discharged to battery state, bi = 0, or remain in the same 
state depending on the transition probabilities. We do not take 
into consideration the charging and discharging rates of the 
RB, and assume that this time duration is enough for fully 
charging or discharging. 

Let the RB be discharged at time instant i, i.e., bi = 0. 
There are six possible transitions that can occur as illustrated 
in Fig. |2 If the appliances demand zero energy and no energy 
is harvested, i.e., (xj+i = 0, Zj+i = 0), the EMU chooses 
either to charge the RB by asking energy from the UR i.e., 
(yi+i — = 1) with probability pgi' or keeps the 

RB discharged, i.e., (yi+i = 0, = 0) with probability 
(1 — Pol)' ^ th e appliances demand zero energy and one unit 
of energy is harvested, i.e., (x i+ i — 0, z i+ i — 1), the UP 
does not provide any energy to prevent waste and the RB is 
charged with harvested energy, i.e., (j/i+i = 0, 6,+i = 1). If 
the appliances demand one unit of energy and no energy is 
harvested, i.e., (xi+± = = 0), the UP must provide 

2 In 1161 in addition to battery conditioned policies, battery/output load 
conditioned policies are also studied. However, the authors indicate that they 
have not found any battery/output load conditioned policy that performs better 
than the optimal policy that acts solely based on the battery state. We have 
made the same observation in our numerical analysis. 




Fig. 2. Finite state diagram for the battery conditioned energy management 
policy with s = 2 states. Each triplet in the figure corresponds to the 
(x,z,y) values for the corresponding transition. Transition probabilities are 
also included in the figure. 

one unit of energy to fulfill the energy demand and the 
RB remains discharged, i.e., (yi+i = = 0). If the 

appliances demand one unit of energy and one unit of energy 
is harvested at the same time, i.e., (a^+i = l,Zj+x = 1), 
either the RB is charged by means of the output load, i.e., 
(yi+i = 1, = 1) with probability pgi> or it remains 
discharged, i.e., (yi+i = 0, fej+i = 0) with probability 

Similarly, let the RB be charged at time instant i, i.e., 
bi = 1. In this case, there are five possible transitions that 
can occur as depicted in Fig. If the appliances demand zero 
energy and no energy is harvested, i.e., (xi + i = 0, Zi + i = 0), 
the UP does not provide energy so as not to cause waste 
and the RB remains charged, i.e., (yi+\ = 0, b i+1 = 1). If 
the appliances demand zero energy and one unit of energy 
is harvested, i.e., (xi + i = 0, = 1), the UP is not 
expected to provide any energy and the RB remains charged, 
i.e., (j/i+i = 0, = 1), while the harvested energy is 
wasted in this situation. If the appliances demand one unit of 
energy and no energy is harvested, i.e., (xi+i = 1, z^+i = 0), 
the EMU chooses between keeping the RB charged, i.e., 
(yi+i = 1, &t+i = 1) with probability (1— pio)> or discharging 
it, i.e., (yi+i = 0, 6,_|_i = 0) with probability pio. If the 
appliances demand one unit of energy and one unit of energy 
is harvested, i.e., = l,Zj+i = 1), there is no need to 

ask for energy from the UP and the RB remains charged, i.e., 
(j/i+i = 0, h+i = !)■ 

IV. Information Leakage Rate Computation 

In this section we focus on the computation of the informa- 
tion leakage rate, I p . From an information theoretic perspective 
the operation of the EMU which decides on the energy flow 
in the system using the EH and RB units resembles data 
compression where the compression is accomplished through 
a finite state machine. In this analogy, the input load X n 
corresponds to an i.i.d. data sequence to be compressed, and 
the output load Y n is the compressed version. The problem 
is similar to a rate-distortion problem in which the goal is to 
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Fig. 3. Minimum information leakage rate, I p , and the corresponding wasted 
energy rate, E w , with respect to harvested energy rate for an EH system with 
and without an RB. 



minimize the mutual information between the source sequence 
and the compressed version while satisfying the distortion 
requirement. In our model, the energy provided from the 
EH device is similar to a distortion requirement. While we 
want to minimize the mutual information between the original 
data sequence and the compressed version, we are limited 
by the allowed distortion, the available harvested energy in 
our case. A different rate-distortion approach for the SM 
privacy problem is taken in 0291 . In ||29l the SM is allowed to 
introduce a certain amount of distortion to its readings before 
reporting them to the UP, while in our setting distortion is 
introduced on the real energy consumption values, making the 
rate-distortion formulation less explicit. See ll3T| for more on 
the connection with the rate-distortion theory, where a single- 
letter information theoretic expression is obtained for the 
optimal privacy in the absence of an RB. Due to the memory 
introduced into the system through the battery, a single letter 
expression is elusive for our problem. However, for a fixed 
EMU policy, the information leakage rate I p between the 
input and the output loads can be estimated numerically using 
the computation method studied in l33l . In the following we 
summarize this computation method. 

We first set the values for the transition probabilities 
and the number of states s in the FSM. For instance, we 
specify {Poi'Poi'Pio} labeled on Fig. [2] for s — 2, i.e., 
b. L £ {0, 1}. Afterwards, we sample very long sequences (large 
n) of X n , Z n and Y n by using the FSM. We then com- 
pute p(yi,y 2 , ■■■ ,y n ) and p(x 1} x 2 , ■ ■ ■ ,x n ,y 1 ,y 2 , ■ ■ ■ ,y n )- 
Finally, the information leakage rate I p between X n and Y n 
is estimated as follows: 



1 



[H(X n ) + H(Y n ) - H(X n ,Y n ) 



1 



k, H{X) logp(yi,y 2 ,-- - ,y n ) 

n 

+ - logp(xi,x 2 , ■ ■ • ,x n ,yi,y 2 ,-- - ,Vn)- 



(8) 



The FSM can be represented as a trellis diagram 
with the state sequence {sq, s±, ■ ■ ■ , s n } for the 



computation of the probabilities p(yi,y 2 , ■ ■ ■ ,y n ) and 
p(xi,x 2 , ■ ■ ■ ,x n ,y 1 ,y 2 , ■ ■ ■ ,y n ). This computation is 
basically the forward sum-product recursion of the BCJR 
algorithm [34|. We define the state metrics as follows: 



MfcOfc) =p(sk,yi,V2,--- ,Vk), (9) 
vk{s k ) = p(s k ,x 1 ,x 2 , - ■ ■ ,x k ,yi,y 2 , ■ ■ ■ ,y k )- (10) 

Initially, we set the state metrics as follows: 

Mo(0) = 1) fo(0) = 1, MoM = 0, u (m) = 0, for m ^ 0. 

Here, we emphasize that the initial values of the state 
metrics do not affect the final values of p(yi,y 2 , ■ ■ ■ , y n ) and 
p(xi,x 2 , ■ ■■ , x n , yi, 2/2, • ■ • , y n ) due to the convergence for 
long sequences. 

We then compute the state metrics recursively using the 
transition probabilities p(x k +i, z k+ i,y k+ i, s k+ i\s k ). For the 
binary system we use the transition probabilities labeled in 
Fig. [2] We have, 



(sfe+i) = ^2 ^2 Hk (sfc )p(xk+i , z k +i , yk+i , sfc+i i sk) , 



(11) 



Vk 



-i(s k +i) = ^ ^ Vk(sk)p(xk+i, Zk+i,yk+i, Sk+i\sk)- (12) 



We can compute the probabilities p(yi,y 2 ,--- ,y n ) and 
p(xi,x 2 , ■ ■ ■ ,x n ,yi,y 2 , ■ ■ ■ ,y n ) as the sum of all the final 
state metrics as follows: 

P(yi,V2, ■•',Vn) = ^2^n(s n ), (13) 

8 n 

p(xi,x 2) ■ ■ ■ ,x n ,yi,y 2 , ■ ■ ■ ,y n ) = v n {s n ). (14) 

For large n values, the state metrics /Xfc(-) and v k {-) tend to 
zero. Therefore, in practice the recursion is computed with 
scale factors as follows: 

Vk+l(Sk+l) = "Vfc + i ^2 ^2 ^ Vk(Sk)p(%k-\-l, Zk+1, Vk+1, Sfc+1 |Sfc), 
z k + l x k + l s k 

(15) 

Uk+l(sk+l) = ^v k + 1 y] ?,"k(Sk)p(xi e +l, Zh+l,Vk+l, Sk+l\sk), (16) 
z k+l s fc 

where positive scale factors {X Ul , A M2 , • ■ • , A Mn } and 
{A,^ , X U2 , • ■ • , X Vrl } are chosen such that, 



}^n{s n ) = 1- 



(17) 
(18) 
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Fig. 4. Information leakage rate, I p , versus wasted energy rate, E w , for 
Px = 0.5 and p z = 0.5. 



Fig. 5. The Pareto optimal (I P ,E W ) pairs for p x = 0.5 and for different 
p z values. Optimal pairs for different p z values are illustrated with different 
markers. 



Finally, the joint probabilities can be computed from the 
following equations: 

1 1 " 
logp(yi,y 2 ,--- ,Vn) = ~ Y] log A Ml , (19) 

i=i 

1 1 n 
logp(xi,x 2 , • • ■ ,x n ,yx,y 2 ,--- ,Vn) = - V^logA^. 

»=i 

(20) 

We note here that this computation method applies to any 
discrete model, including an input load with memory, and is 
not limited to the binary system model considered in this pa- 
per. However, identification of the optimal system parameters 
becomes computationally intractable with an increase in the 
size of the input and output alphabets, or the battery size. 

V. Results and Observations 

In this section, we analyze the trade-off between the infor- 
mation leakage rate and energy efficiency numerically using 
the computation method presented in Section [TV] Based on 
these numerical results we provide various observations and 
conclusions regarding the optimal operation of the EMU 
from a joint privacy-energy efficiency perspective. In our 
simulations we focus on the binary model illustrated in Fig. [2] 
We focus on a binary system for its simplicity, as otherwise, 
the transitions in the state diagram get very complicated and 
the numerical computation outlined in Section [TV] becomes 
intractable. Later in Section IV-CI we also consider the system 
with K > 2 in the absence of an EH unit, and study the effects 
of the battery capacity on the performance. Furthermore, 
in Section IV-DI we consider a system with high privacy 
requirements in the absence of an EH unit, and allow the 
user to waste grid energy in order to increase privacy. In 
our simulations, we perform an exhaustive search by varying 
the transition probabilities in Fig. [2] with 0.1 increments and 
calculate the information leakage rate for each EMU policy. 
We use n — 10 6 for the computations. 



A. Effects of energy harvesting rate on privacy and energy 
efficiency 

We illustrate the effects of EH rate on both privacy and 
energy efficiency for an EH system with and without an RB, 
and also show how privacy and energy efficiency change in the 
presence of an RB. Fig. [3] illustrates the minimum information 
leakage rate I p and the corresponding wasted energy rate E w 
with respect to the EH rate p z for an EH system with and 
without an RB. The results are obtained for an equiprobable 
input load p x = 0.5 and different p z values. In a system with 
an EH device the privacy improves with increasing values 
of p z . This is expected since more energy is provided from 
the energy harvester as p z increases; and hence, the UP can 
learn less about the actual energy consumption of the user. 
On the other hand, an increase in the EH rate leads to an 
increase in the wasted energy rate as well. This is due to the 
independence of the energy generation process and the input 
load. When the EH device harvests a unit of energy, if there is 
no demand from the appliances and the RB is already charged, 
this harvested energy will be wasted. Therefore, we can easily 
notice the trade-off between the information leakage rate I p 
and the wasted energy rate E w in the system when there is no 
storage unit. 

Comparing the two curves in Fig. [5] we observe that 
introducing an RB into the system improves the trade-off to 
a certain extent. It reduces both the minimum information 
leakage rate I p and the corresponding wasted energy rate E w . 
When there is no energy harvesting, i.e, p z = 0, the system 
reduces to the model studied in |[T6l . In this case, the minimum 
information leakage rate is found to be I p = 0.5 for p x = 0.5. 
However, when there is an alternative energy source in the 
system, i.e., p z ^ 0, the information leakage rate can be 
reduced significantly. The EH rate can be considered as a 
system parameter that defines the achievable privacy-energy 
efficiency trade-off, and needs to be chosen by the system 
designer depending on the input load and the desired operating 
point. 



B. Privacy-energy efficiency trade-off 

TABLE I 

RESULTS FROM THE TRADE-OFF PAIRS FOR DIFFERENTp z 
VALUES 
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In Section IV-AI we have found the wasted energy rate 
corresponding to the battery policy that minimizes the infor- 
mation leakage rate. Here, we characterize the whole trade-off 
between the privacy and energy efficiency for given EH rates. 
The trade-off for the values of p x — p z — 0.5 is illustrated in 
Fig. [4] Each circle in the figure marks an (l p ,E w ) pair that 
can be achieved by assigning different transition probabilities 
labeled on Fig. [2] The Pareto optimal trade-off curve is the 
one that is formed by the points on the lower-left corner of 
the figure, i.e., the points for which I p and E w cannot be 
improved simultaneously. The minimum information leakage 
rate value is I p — 0.088 for which we have E w = 0.163. 
The minimum wasted energy rate is E w = 0.125 for which 
we have I p — 0.171. These two pairs correspond to the 
corner points of the trade-off curve in Fig. |4] According to the 
requirements of the system, the operating point can be chosen 
anywhere on the trade-off curve. Note that, we can apply a 
convexification operation on the set of achievable (I p ,E w ) 
pairs using time-sharing arguments. 

We also study the trade-off between the information leakage 
rate, I p , and the wasted energy rate, E w , for different p z values 
to observe the effect of the EH rate on the achievable privacy- 
energy efficiency trade-off. Fig.|5]illustrates the Pareto optimal 
[I p ,E w ) pairs for p x — 0.5 and for different p z values. 
Each marker in the figure marks an (l p7 E w ^) pair achieved 
by assigning different transition probabilities, and we include 
only the points that are not Pareto dominated by any other 
point. We obtain a different privacy-energy efficiency trade-off 
for each p z value as illustrated in Fig. [5] The corner points 
of these trade-off curves are listed in Table [Q for different p z 
values. Since there is no harvested energy in the system for 
p z = 0, there is no wasted energy and as a result, the optimal 
operating point is found as the minimum information leakage 
rate, I p = 0.5 and wasted energy rate, E w = 0, which is 
the same as the model studied in lfl6l . Note that while the 
minimum information leakage rate decreases with increasing 
values of p z , the minimum wasted energy rate increases. When 
energy is harvested with p z = 1, the optimal point is found 
to be I p = and E w =0.5, that is, perfect privacy can be 
achieved at the expense of wasting half of the harvested energy 
on average. In this case, there is no information leakage since 
the user never asks energy from the UP and the wasted energy 
rate converges to Pr{X = 0} = 1 — p x . 

We also study biased input loads by considering the two 
cases with p x — 0.89 and p x — 0.11, which we call the 
heavy load and light load scenarios. The entropy rate of the 
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Fig. 6. Finite state diagrams for battery-conditioned energy management 
policies with battery capacities K = 3 and K = 4. Symmetric and 
complementary transition probabilities are illustrated for the computation of 
the minimum information leakage rate in case of an equiprobable input load, 
i.e., p x = 0.5. 

input load for both the heavy and light load cases is H(X) = 

0. 5. Note that the input load is biased towards X = 1 for 
the heavy load system, i.e., the appliances are more likely 
to demand energy. For the heavy load case when we do not 
have an EH unit in the system, i.e., p z = 0, we find the 
minimum information leakage rate to be I p — 0.23 lfl6l . When 
there is an energy harvester in the system with p z = 0.5, 
the minimum information leakage rate reduces significantly 
to I p — 0.026 while the corresponding wasted energy rate is 
E w = 0.043. The minimum wasted energy rate is obtained as 
E w — 0.011 for which we have I p = 0.105. It is obvious that 
wasting energy is less likely in the heavy load case. The energy 
is wasted only when we have = l,Xi+\ — 0,z J+ i = 1 as 
shown in Fig. [2] Thus, when the appliances have higher energy 
demands, the user is less likely to face the condition for energy 
wasting. Similarly, in the light load case, i.e., p x = 0.11, E w 
increases as less energy is required by the appliances. For 
example, the minimum information leakage rate is found to 
be I p = 0.027 with E w — 0.088, and the minimum wasted 
energy rate is found to be E w — 0.087 for I p = 0.03. We 
observe that both the heavy and light load systems can achieve 
almost the same level of maximum privacy while the wasted 
energy rate of the light load system is double the rate of the 
heavy load system at this point of operation. 

C. Effects of battery capacity on privacy 

We have observed that alternative energy sources can help 
reduce the information leakage rate significantly while RBs 
help improve the energy efficiency as well as privacy. Next, 
we study the effects of the RB capacity on privacy. It is 
expected that if we increase the RB capacity K, the trade- 
off curve illustrated in Fig. [4] will move toward the origin, 

1. e., the privacy and energy efficiency will be improved si- 
multaneously. For example, in the asymptotic limit of infinite 
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Lg. 7. Minimum information leakage rate, /„ versus battery capacity, K. Rg g Information Ieakage ratej Jj)i versus wasted energy ratej Ew> for the 

case of wasting grid energy. 



storage capacity, perfect privacy can be achieved by charging 
the battery initially, and never asking for any energy from the 
UP afterwards. To highlight the effects of the battery capacity 
on the achievable privacy we consider an RB with capacity 
K, and no EH device. While the complexity of the numer- 
ical analysis grows quickly with the battery size, we have 
observed that for an equiprobable input load, i.e., p x = 0.5, 
there is a symmetry and complementarity among the opti- 
mal transition probabilities in the finite state diagram which 
significantly reduces the computation time of the minimum 
information leakage rate. The minimum information leakage 
rate is achieved when, 1) the sum of transition probabilities 
between two states is equal to one, and 2) there is a symmetry 
in the transition probabilities of the two sides of the finite state 
diagram separated by the line of symmetry. Fig. [6] depicts this 
symmetry and complementarity on a finite state diagram for 
battery capacity K = 3 and K — 4, respectively. Using this 
observation which reduces the complexity of the computation, 
we have increased the battery capacity K and obtained the 
minimum information leakage rates corresponding to different 
values of K. For moderate battery capacity values Fig. [7] 
illustrates the effects of the battery capacity on the minimum 
information leakage rate I p for p x = 0.5. The minimum 
information leakage rate falls below 0.1 even with an RB of 6 
units of capacity. This result shows that even a small increase 
in the RB capacity leads to a significant reduction in the 
minimum information leakage rate. As RB capacity increases 
more, the minimum information leakage rate I p continues to 
decrease, but with a decreasing slope. 

D. Privacy at the expense of wasting grid energy 

We have already shown that whenever the user has higher 
privacy requirements, the system with EH and RB units can 
provide strong privacy assurances by simply increasing the 
EH rate, p z . When there is no EH unit in the system, we 
need to increase the capacity of the RB to cope with high 
privacy requirements. However, increasing the capacity of the 
RB can be costly or even physically impossible. In this case 
the privacy of the user can be improved by allowing the user 



to demand energy from the UP even when there is no energy 
demand from the appliances, i.e., Xi = 0, and the RB is already 
full, i.e., hi = K. Through wasting additional energy from the 
UP, which is likely to be more expensive than the harvested 
energy, the energy consumption profile of the appliances can 
be further hidden from the UP and privacy can be increased 
up to perfect privacy by increasing the energy waste level. 

To study the effects of wasting grid energy on privacy, we 
consider battery conditioned policies with binary input/output 
load values and an RB with capacity of K units. Let RB 
be fully charged at time instant i, i.e., bi = K. Even if the 
appliances do not consume any energy at time instant i + 1, 
i.e., Xi+i = 0, we allow the EMU to demand energy from 
the UP, i.e., yi+i = 1, with probability p w , and y J+ i = 
with probability (1 — p w ). In other words, we allow wasting 
the grid energy with probability p w , by which we obscure 
the information of the UP about the real energy consumption. 
Fig- E illustrates the achievable points on the (l p ,E w ) trade- 
off, obtained for an equiprobable input load, p x = 0.5, and for 
increasing RB capacity values, K = 1, K = 2, and K = 3. 
In this simulation, to keep the simulation time reasonable 
we find the achievable points for each capacity value K, 
by considering only complementary transition probabilities 
as depicted in Fig. [6] such that the sum of the transition 
probabilities between two states is equal to 1. Moreover, we 
compute the wasted energy rate by using Eqn. (O, but we 
choose Zi — in the equation since there is no EH unit 
in the current scenario. We can see that the privacy can 
be significantly improved by wasting more energy, i.e., by 
increasing p w . For instance, when perfect privacy is required 
by the system, the information leakage rate can be reduced to 
zero by wasting energy with p w = 1. The wasted energy rate 
converges to Pr{X = 0} = 1 — p x on average for p w = 1, 
i.e., E w = 0.5, because we waste energy only when the RB 
is fully charged, bi = K, and there is no input load, = 0. 
If we increase the RB capacity K, as we can see in Fig. [8] 
both the information leakage rate and the wasted energy rate 
are improved for the same energy waste probability, p w . The 



operating point on the trade-off curve can be chosen according 
to the privacy requirement of the system and the cost of energy 
provided by the UP. 

VI. Conclusions 

We have studied the privacy-energy efficiency trade-off in 
smart meter systems in the presence of energy harvesting and 
storage units. We have considered an EH unit that provides 
energy packets at each time instant in an i.i.d. fashion, and a 
finite capacity rechargeable battery that provides both energy 
efficiency by storing extra energy for future use, and increased 
privacy by hiding the load signature of the appliances from the 
utility provider. We have used a finite state model to represent 
the whole system, and studied the information leakage rate 
between the input and output loads to measure the privacy of 
the user from an information theoretic perspective. 

We have used a numerical method to calculate the informa- 
tion leakage rate. Due to the memory introduced by the RB, 
obtaining a closed-form expression for the information leakage 
rate is elusive. For the sake of simplicity, we have consid- 
ered binary input and output loads and focused on battery- 
dependent energy management policies in our simulations, 
and numerically searched for the energy management strategy 
that achieves the best trade-off between privacy and energy- 
efficiency. We have shown that the information leakage rate 
can be significantly reduced when both an energy harvester 
and an RB are present. As the EH rate increases, we have 
observed that the privacy of the system significantly improves. 
On the other hand, this also increases the amount of wasted 
energy. For a fixed EH rate, we have numerically obtained 
the optimal trade-off curve between the achievable information 
leakage and wasted energy rates. Different points on this trade- 
off curve can be achieved by changing the stochastic battery 
policy used by the energy management unit. According to 
the needs and priorities of the system, an operating point can 
be chosen on this trade-off curve. We have also obtained the 
corresponding trade-off curves for different EH rates. 

We have studied the effects of the battery capacity on the 
achievable privacy by focusing on a system with only an RB. 
We have observed that increasing the capacity of the RB has a 
significant impact on the reduction of the information leakage 
rate, and thereby, on the privacy. Moreover, we have examined 
the wasting of grid energy to fulfill the increased privacy 
requirements of the user when there is only an RB in the 
system. We have observed that even in the absence of an EH 
device and with a finite capacity RB, the privacy level can be 
increased up to perfect privacy by wasting more energy from 
the grid. 
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